Certbot renew hook not firing

Hi Guys,

Currently using Certbot from the Debian package on Debian 8. It all works fine except the renew process. The renew process is triggered from cron, and I have a renew hook. The renew process works fine, but the hook isn’t getting fired. If I run the hook manually it works. Here is my Cron file:

```
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "cp /etc/letsencrypt/live/server.domain.com/{fullchain.pem,privkey.pem} /etc/exim4/ && chown root:Debian-exim /etc/exim4/*.pem && chmod 640 /etc/exim4/*.pem && service exim4 reload && service nginx reload"
```

Thanks,
Andrew.

I think the problem may be the use of shell syntax inside the renew-hook. I haven’t figured out exactly what will happen in this case but I don’t believe the Python subprocess.Popen uses bash to run the hooks.

Certbot’s hooks.py clearly uses this method to execute the hook; I checked with

```python
import subprocess

subprocess.Popen("echo {foo, bar, baz}", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).stdout.read()
```

and it returned "{foo, bar, baz}", which then confirms that bash syntax like that can’t be used in a renew-hook. I would suggest making your own separate shell script and then running that script as the renew-hook.
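The separate hook script suggested above, written as an added example that is not part of the original thread or of Certbot: it is plain POSIX sh, so it needs no brace expansion, and it uses `install -m 640` so the private key is created with its final mode instead of being copied first and restricted afterwards. The script path and the `deploy_certs` function name are hypothetical; `RENEWED_LINEAGE` is the variable Certbot exports to renew hooks, and the destination, group and services are the ones from the cron line.

```shell
#!/bin/sh
# Hypothetical location: /usr/local/sbin/exim-cert-deploy.sh
# Cron usage: certbot -q renew --renew-hook /usr/local/sbin/exim-cert-deploy.sh
set -eu

# deploy_certs SRC_DIR DST_DIR [GROUP]
# Copies fullchain.pem and privkey.pem from SRC_DIR to DST_DIR with mode 0640.
# With GROUP given (needs root), ownership is set to root:GROUP in the same step.
deploy_certs() {
    src=$1
    dst=$2
    group=${3:-}
    # Check both files first so a half-renewed lineage is never deployed.
    for f in fullchain.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    for f in fullchain.pem privkey.pem; do
        # Write to a temporary name, then rename, so a reader of DST_DIR
        # never sees a partially written file.
        if [ -n "$group" ]; then
            install -m 640 -o root -g "$group" "$src/$f" "$dst/$f.new"
        else
            install -m 640 "$src/$f" "$dst/$f.new"
        fi
        mv -f "$dst/$f.new" "$dst/$f"
    done
}

# Only act when Certbot invoked us for a renewed certificate.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" /etc/exim4 Debian-exim
    service exim4 reload
    service nginx reload
fi
```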
